Amended claims follow:

1. (Currently Amended) A computer program product embodied on a tangible 
computer readable medium operable to detect malicious computer program activity, 
comprising:

logging code operable to log a stream of external program calls; 

primary set identifying code operable to identify, within said stream of external 
program calls, a primary set of one or more external program calls matching one or more 
rules indicative of malicious computer program activity from among a set of rules;

secondary set identifying code operable to identify, within said stream, at least 
one secondary set of one or more external program calls associated with said primary set 
of one or more external program calls;[[ and]] 

modifying code operable to modify said set of rules such that said at least one 
secondary set of one or more external program calls are more strongly associated with 
malicious computer program activity;

promoting code operable to determine whether said modified set of rules 
decreases malicious network traffic, and to promote said modified set of rules from a 
temporary set to a permanent set if it is determined that said modified set of rules 
decreases said malicious network traffic; and 

additional promoting code operable to determine whether said modified set of 
rules slows malware propagation, and to promote said modified set of rules from said 
temporary set to said permanent set if it is determined that said modified set of rules 
slows said malware propagation;

wherein one of said at least one secondary set of one or more external program 
calls precedes said primary set of one or more external program calls within said stream 
of external program calls;

wherein said set of rules is modified to include a new rule corresponding to said 
secondary set of one or more external program calls, said new rule thereafter being used 
in addition to other rules within said set of rules.
2. (Cancelled)

3. (Original) A computer program product as claimed in claim 1, wherein said 
external program calls are application program interface calls to an operating system.

4. (Original) A computer program product as claimed in claim 1, wherein each of
said external program calls has one or more characteristics compared against said set of 
rules. 

5. (Original) A computer program product as claimed in claim 4, wherein said one
or more characteristics include: 

a call name; 

a return address; 

one or more parameter values; and 
one or more returned results.

6. (Original) A computer program product as claimed in claim 1, wherein rules
within said set of rules specify score values of external program calls having 
predetermined characteristics and a set of one or more external program calls is identified 
as corresponding to malicious computer program activity if said set of one or more 
external program calls has a combined score value exceeding a threshold level. 

7. (Previously Presented) A computer program product as claimed in claim 6,
wherein score values within a set of rules associated with said secondary set of one or 
more external program calls are increased to more strongly associate said secondary set 
of external program calls with malicious computer program activity.

8. (Original) A computer program product as claimed in claim 1, wherein said set of
rules include at least one of: 

one or more pattern matching rules; and 
one or more regular expression rules.

9. (Original) A computer program product as claimed in claim 1, wherein said set of 
rules are responsive to ordering of external program calls.

10. (Original) A computer program product as claimed in claim 1, wherein said
modifying code dynamically adapts said set of rules in response to detected streams of 
external program calls performing malicious computer program activity. 

11. (Previously Presented) A computer program product as claimed in claim 1, 
wherein at least changes within said set of rules are transmitted to one or more remote 
computers such that said one or more remote computers can use said modified set of rules 
without having to suffer said malicious computer program activity.

12. (Original) A computer program product as claimed in claim 1, wherein changes
within said set of rules are transmitted to a rule supplier. 

13. (Original) A computer program product as claimed in claim 1, wherein said
stream of external program calls are logged following emulation of execution of a 
computer program. 

14. (Cancelled) 

15. (Original) A computer program product as claimed in claim 1, comprising starting 
point identifying code operable to identify a starting point of malicious computer
program activity within said stream of external program calls. 

16. (Original) A computer program product as claimed in claim 15, wherein said
starting point corresponds to one of: 

starting execution of a computer file; and

a switch of memory address region from which program instructions are executed.
17. (Original) A computer program product as claimed in claim 1, wherein said set of
rules is subject to a validity check after modification to determine if said set of rules is 
more effectively detecting malicious computer program activity. 
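The detection and adaptation loop that claims 1, 6, 7, 9 and 17 describe, worked through in Python as an added example; this is not code from the patent or its applicant. Several points the claims leave open are filled in by assumption here: "ordering" (claim 9) is modelled as a fixed window of consecutive calls scored together; "associated" (claim 1) is taken to mean calls issued from the same 4 KiB return-address region, in the spirit of claim 16; and the validity check of claim 17 (the modified rules flag the malicious stream earlier and still clear a benign stream) stands in for the network-traffic and propagation criteria of claim 1, which cannot be measured offline. The rule names, scores, threshold and both call logs are constructed for illustration.

```python
import copy
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Call:                 # one logged external program call (claim 5 characteristics)
    name: str               # call name
    ret_addr: int           # return address
    params: tuple = ()      # parameter values
    result: int = 0         # returned result

@dataclass
class Rule:
    name_re: str            # regular expression matched against the whole call name (claim 8)
    score: int              # score value contributed when the rule matches (claim 6)
    param_re: str = ""      # optional regular expression searched in repr(params)
    def matches(self, call):
        if re.fullmatch(self.name_re, call.name) is None:
            return False
        return not self.param_re or re.search(self.param_re, repr(call.params)) is not None

class RuleSet:
    def __init__(self, permanent, threshold=10, window=3):
        self.permanent = list(permanent)  # proven rules
        self.temporary = []               # candidate rules awaiting promotion
        self.threshold = threshold        # combined score must exceed this
        self.window = window              # consecutive calls scored together (assumed ordering model)
    def rules(self):
        return self.permanent + self.temporary
    def score(self, call):
        return sum(r.score for r in self.rules() if r.matches(call))
    def find_primary(self, stream):
        """Index of the first window whose combined score exceeds the threshold (the primary set), else None."""
        for i in range(len(stream) - self.window + 1):
            if sum(self.score(c) for c in stream[i:i + self.window]) > self.threshold:
                return i
        return None

def secondary_set(stream, primary_idx):
    """Calls preceding the primary set from the same 4 KiB return-address region (assumed meaning of 'associated')."""
    region = stream[primary_idx].ret_addr >> 12
    start = primary_idx
    while start > 0 and stream[start - 1].ret_addr >> 12 == region:
        start -= 1
    return stream[start:primary_idx]

def adapt(rules, stream):
    """Claim 7: raise scores of rules the secondary set already matches; claim 1: add a new temporary rule for it."""
    p = rules.find_primary(stream)
    if p is None:
        return None
    sec = secondary_set(stream, p)
    if not sec:
        return None
    for r in rules.rules():
        if any(r.matches(c) for c in sec):
            r.score += 2
    new = Rule("|".join(re.escape(c.name) for c in sec), 4)
    rules.temporary.append(new)
    return new

def learn(rules, malicious, benign):
    """Adapt, then validity-check (claim 17): promote temporary rules only if detection gets earlier and the benign stream stays clean; else roll back."""
    snapshot = copy.deepcopy(rules)
    before = rules.find_primary(malicious)
    if adapt(rules, malicious) is None:
        return False
    after = rules.find_primary(malicious)
    earlier = after is not None and (before is None or after < before)
    if earlier and rules.find_primary(benign) is None:
        rules.permanent += rules.temporary
        rules.temporary = []
        return True
    rules.permanent, rules.temporary = snapshot.permanent, snapshot.temporary
    return False

# Constructed sample logs and rules (not taken from the patent).
RUN_KEY = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
MALICIOUS = [
    Call("GetModuleHandleA", 0x401000),
    Call("CreateFileA", 0x401010, ("C:\\Users\\Public\\x.exe",), 0x80),
    Call("WriteFile", 0x402020, (0x80, 4096)),
    Call("CloseHandle", 0x402030, (0x80,)),
    Call("socket", 0x402040, (2, 1, 6), 0x84),
    Call("connect", 0x402050, (0x84, "203.0.113.7", 443)),
    Call("send", 0x402060, (0x84, 64)),
    Call("RegSetValueExA", 0x402070, (RUN_KEY, "x.exe")),
]
BENIGN = [
    Call("CreateFileA", 0x501000, ("C:\\Temp\\app.log",), 0x90),
    Call("WriteFile", 0x501010, (0x90, 120)),
    Call("CloseHandle", 0x501020, (0x90,)),
    Call("ReadFile", 0x501030, (0x91, 512)),
    Call("CloseHandle", 0x501040, (0x91,)),
]

def initial_rules():
    return RuleSet([Rule("RegSetValueExA", 6, r"CurrentVersion\\\\Run"), Rule("socket", 2),
                    Rule("connect", 3), Rule("send", 3)])
```

With the initial rules the malicious log is only flagged at index 5 (connect, send, RegSetValueExA), after the persistence key has already been written. The preceding calls from the same code region (WriteFile, CloseHandle, socket) become the secondary set; the new rule moves detection to index 2, and because the benign log still scores below the threshold the rule is promoted. Appending a socket call to the benign log makes the same modification trip the threshold there, so `learn` returns False and restores the snapshot, including the raised socket score. That rollback is the part worth copying: a new rule that broadens the alternation over common calls such as CloseHandle is exactly the kind of modification that needs a held-out benign stream before it becomes permanent.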

18. (Currently Amended) A method of detecting malicious computer program 
activity, said method comprising the steps of:

logging a stream of external program calls;

identifying within said stream of external program calls a primary set of one or 
more external program calls matching one or more rules indicative of malicious computer 
program activity from among a set of rules; 

identifying within said stream at least one secondary set of one or more external 
program calls associated with said primary set of one or more external program calls;[[ and]]

modifying said set of rules such that said at least one secondary set of one or more 
external program calls are more strongly associated with malicious computer program 
activity; 

determining whether said modified set of rules decreases malicious network 
traffic, and promoting said modified set of rules from a temporary set to a permanent set 
if it is determined that said modified set of rules decreases said malicious network traffic; 
and 

determining whether said modified set of rules slows malware propagation, and 
promoting said modified set of rules from said temporary set to said permanent set if it is 
determined that said modified set of rules slows said malware propagation;

wherein one of said at least one secondary set of one or more external program 
calls precedes said primary set of one or more external program calls within said stream 
of external program calls;

wherein said set of rules is modified to include a new rule corresponding to said 
secondary set of one or more external program calls, said new rule thereafter being used 
in addition to other rules within said set of rules.
19. (Cancelled)

20. (Original) A method as claimed in claim 18, wherein said external program calls 
are application program interface calls to an operating system.

21. (Original) A method as claimed in claim 18, wherein each of said external
program calls has one or more characteristics compared against said set of rules. 

22. (Original) A method as claimed in claim 21, wherein said one or more
characteristics include: 

a call name; 

a return address; 

one or more parameter values; and 
one or more returned results. 

23. (Original) A method as claimed in claim 18, wherein rules within said set of rules 
specify score values of external program calls having predetermined characteristics and a 
set of one or more external program calls is identified as corresponding to malicious 
computer program activity if said set of one or more external program calls has a 
combined score value exceeding a threshold level.

24. (Previously Presented) A method as claimed in claim 23, wherein score values 
within a set of rules associated with said secondary set of one or more external program 
calls are increased to more strongly associate said secondary set of external program calls
with malicious computer program activity. 

25. (Previously Presented) A method as claimed in claim 18, wherein said set of rules 
include at least one of:

one or more pattern matching rules; and
one or more regular expression rules. 
26. (Original) A method as claimed in claim 18, wherein said set of rules are
responsive to ordering of external program calls. 

27. (Original) A method as claimed in claim 18, wherein said step of modifying said 
set of rules dynamically adapts said set of rules in response to detected streams of
external program calls performing malicious computer program activity. 

28. (Previously Presented) A method as claimed in claim 18, wherein at least changes 
within said set of rules are transmitted to one or more remote computers such that said
one or more remote computers can use said modified set of rules without having to suffer 
said malicious computer program activity. 

29. (Original) A method as claimed in claim 18, wherein changes within said set of
rules are transmitted to a rule supplier. 

30. (Original) A method as claimed in claim 18, wherein said stream of external 
program calls are logged following emulation of execution of a computer program. 

31. (Cancelled) 

32. (Original) A method as claimed in claim 18, comprising identifying a starting
point of malicious computer program activity within said stream of external program 
calls. 

33. (Original) A method as claimed in claim 32, wherein said starting point 
corresponds to one of: 

starting execution of a computer file; and 

a switch of memory address region from which program instructions are executed.

34. (Original) A method as claimed in claim 18, wherein said set of rules is subject to 
a validity check after modification to determine if said set of rules is more effectively 
detecting malicious computer program activity. 
35. (Currently Amended) A data processing apparatus operable to detect malicious 
computer program activity, said apparatus comprising:

logging logic operable to log a stream of external program calls; 

primary set identifying logic operable to identify, within said stream of external 
program calls, a primary set of one or more external program calls matching one or more 
rules indicative of malicious computer program activity from among a set of rules; 

secondary set identifying logic operable to identify, within said stream, at least 
one secondary set of one or more external program calls associated with said primary set 
of one or more external program calls;[[ and]] 

modifying logic operable to modify said set of rules such that said at least one 
secondary set of one or more external program calls are more strongly associated with 
malicious computer program activity; 

promoting logic operable to determine whether said modified set of rules 
decreases malicious network traffic, and to promote said modified set of rules from a 
temporary set to a permanent set if it is determined that said modified set of rules 
decreases said malicious network traffic; and 

additional promoting logic operable to determine whether said modified set of 
rules slows malware propagation, and to promote said modified set of rules from said 
temporary set to said permanent set if it is determined that said modified set of rules 
slows said malware propagation;

wherein one of said at least one secondary set of one or more external program 
calls precedes said primary set of one or more external program calls within said stream 
of external program calls; 

wherein said set of rules is modified to include a new rule corresponding to said 
secondary set of one or more external program calls, said new rule thereafter being used 
in addition to other rules within said set of rules.

36. (Cancelled)
37. (Original) An apparatus as claimed in claim 35, wherein said external program
calls are application program interface calls to an operating system. 

38. (Original) An apparatus as claimed in claim 35, wherein each of said external 
program calls has one or more characteristics compared against said set of rules.

39. (Original) An apparatus as claimed in claim 38, wherein said one or more 
characteristics include:

a call name;
a return address; 

one or more parameter values; and 
one or more returned results. 

40. (Original) An apparatus as claimed in claim 35, wherein rules within said set of 
rules specify score values of external program calls having predetermined characteristics 
and a set of one or more external program calls is identified as corresponding to 
malicious computer program activity if said set of one or more external program calls has 
a combined score value exceeding a threshold level.

41. (Previously Presented) An apparatus as claimed in claim 40, wherein score values 
within a set of rules associated with said secondary set of one or more external program 
calls are increased to more strongly associate said secondary set of external program calls
with malicious computer program activity. 

42. (Original) An apparatus as claimed in claim 35, wherein said set of rules include
at least one of: 

one or more pattern matching rules; and 
one or more regular expression rules.

43. (Original) An apparatus as claimed in claim 35, wherein said set of rules are 
responsive to ordering of external program calls. 
44. (Original) An apparatus as claimed in claim 35, wherein said modifying logic
dynamically adapts said set of rules in response to detected streams of external program 
calls performing malicious computer program activity. 

45. (Previously Presented) An apparatus as claimed in claim 35, wherein at least 
changes within said set of rules are transmitted to one or more remote computers such
that said one or more remote computers can use said modified set of rules without having 
to suffer said malicious computer program activity. 

46. (Original) An apparatus as claimed in claim 35, wherein changes within said set
of rules are transmitted to a rule supplier. 

47. (Original) An apparatus as claimed in claim 35, wherein said stream of external 
program calls are logged following emulation of execution of a computer program. 

48. (Cancelled) 

49. (Original) An apparatus as claimed in claim 35, comprising starting point 
identifying logic operable to identify a starting point of malicious computer program 
activity within said stream of external program calls.

50. (Original) An apparatus as claimed in claim 49, wherein said starting point 
corresponds to one of: starting execution of a computer file; and 

a switch of memory address region from which program instructions are executed.

51. (Original) An apparatus as claimed in claim 35, wherein said set of rules is 
subject to a validity check after modification to determine if said set of rules is more 
effectively detecting malicious computer program activity.
52. (Currently Amended) A computer program product as claimed in claim 1, further 
comprising applying high level rules to [[the]] said modified set of rules and promoting 
said modified set of rules from [[a]] said temporary set to [[a]] said permanent set based on 
the application of the high level rules to [[the]] said modified set of rules.

53. (Cancelled) 

54. (Cancelled) 

55. (New) A computer program product as claimed in claim 1, wherein one or more
higher-level rules are applied to said modified set of rules to determine if said modified 
set of rules is more effectively detecting malicious computer program activity after 
modification. 
